
LinkedIn is Latest Contributor to Breach Fatigue

Expert Troy Hunt waxes on last week’s LinkedIn data dump of 117 million credentials and how it reflects on a new breed of hackers.

The obvious takeaway from last week’s LinkedIn data breach revelation, where we learned hackers were selling 117 million LinkedIn usernames, email addresses and passwords from a 2012 breach, is: change your passwords, and often.

The not-so-obvious takeaways come from noted security expert Troy Hunt, creator of the breach-notification service Have I Been Pwned? and author at Pluralsight. He maintains that the LinkedIn breach illustrates a new hacker ethos and a shifting demographic when it comes to the types of hackers riling the likes of LinkedIn, VTech, TalkTalk and other billion-dollar companies stung by recent data breaches.

“Breach data markets used to be more cloak and dagger. Now the data is a commodity. LinkedIn data is for sale on not just the dark web, but also sites like Leaked Source who are selling what are essentially day-passes to the data,” Hunt said.

When LinkedIn data surfaced on the web last week, Hunt played a small but important role in verifying for journalists that the data was valid. The original LinkedIn hack occurred in 2012 and at the time was thought to have involved 6.5 million users. But last week, the website The Real Deal said it had 167 million SHA-1-hashed LinkedIn account credentials tied to the 2012 breach for sale for 5 bitcoins, or $2,200. LinkedIn filed a cease-and-desist order against Leaked Source and began to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since.
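The dump described above consisted of unsalted SHA-1 hashes, which is what makes such a leak so reusable: every account that chose the same password ends up with the identical stored value, so one lookup answers for all of them, and nothing in the hash slows that lookup down. The following added example (written for this page, not code from LinkedIn, Hunt or Threatpost) contrasts that legacy scheme with per-user salted PBKDF2 verification, the kind of storage that leaves a stolen table far less useful; the iteration count and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional

# Assumption: work factor chosen for the example; tune to your hardware budget.
PBKDF2_ITERATIONS = 100_000


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1, the scheme reported for the 2012 LinkedIn credentials.

    Deterministic: same password -> same hex digest for every user.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'algo$iterations$salt$digest'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def same_password_collides(scheme: Callable[[str], str]) -> bool:
    """True if two users sharing a password get identical stored values."""
    return scheme("correct horse battery staple") == scheme("correct horse battery staple")


def duplicate_hash_groups(stored_values: List[str]) -> Dict[str, int]:
    """Count stored values that appear more than once in a user table.

    For an unsalted scheme this directly reveals shared passwords; for a
    salted scheme the count should be empty even when passwords repeat.
    """
    counts: Dict[str, int] = {}
    for value in stored_values:
        counts[value] = counts.get(value, 0) + 1
    return {v: n for v, n in counts.items() if n > 1}


# Constructed sample user table (not breach data): three users, two share a password.
SAMPLE_PASSWORDS = ["Summer2012!", "Summer2012!", "x7#kQ9!pLm"]


def legacy_table() -> List[str]:
    return [legacy_sha1(p) for p in SAMPLE_PASSWORDS]


def hardened_table() -> List[str]:
    return [hash_password(p) for p in SAMPLE_PASSWORDS]


if __name__ == "__main__":
    print("legacy duplicates:", duplicate_hash_groups(legacy_table()))
    print("hardened duplicates:", duplicate_hash_groups(hardened_table()))
```

Running it shows one duplicate group in the legacy table (the two users who share "Summer2012!") and none in the hardened one; a breach of the hardened table would force an attacker to work each account separately at the full PBKDF2 cost instead of once for the whole set.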

The danger for LinkedIn users is that while most of the four-year-old LinkedIn data is garbage, there are tens of millions of email addresses out of the 117 million tied to passwords that will still unlock accounts elsewhere on the web today, Hunt said.

“With data breaches making headlines every day, we have created a social immunity to them,” Hunt said. This lessens the odds that a victim will be motivated to actually take the time to change their entire set of potentially impacted passwords.

Hunt says the cumulative effect of a commodity market for breached data, paired with the public’s breach fatigue, is nurturing a new generation of hackers clueless to the social and criminal implications of hacking. He describes a kind of gamification of breaches by young hackers.

“Sometimes these breaches are just kids being kids. In previous generations it might have been a juvenile delinquent spray painting a car or doing something stupid like that. In many cases (today) it’s very young hackers finding vulnerabilities and causing billion dollar brands major headaches,” Hunt said.

Not to discount the class of well-organized, seasoned hackers that does exist, but Hunt points out that it was a 15-year-old boy behind a major breach against phone company TalkTalk in 2015. In the case of the VTech breach last year, it was a 21-year-old who was arrested. The VTech hacker, who exposed personal data of 12 million users and 6.4 million minors, said he did not intend to sell or use the data, but instead to shame VTech for its weak security practices.

“Many of the people breaking into these systems are not aware of the severity of what they are doing. I don’t think they realize it’s highly illegal and something that they could go to jail for. It’s almost as if they don’t think they’re doing anything wrong. Rather, they view themselves as genuinely making the web a better place.”

That said, Hunt believes that the brash idealism that seemed to motivate hackers in the past may be giving rise to a new pragmatism among others within the hacker community. “The way the data is being commercialized is very mainstream. They post the data on easily accessible sites to the public and then the sellers are very shrewd and make an effort to reach out to the media to gain press coverage. It’s very brazen in that regard,” Hunt said.

In the case of LinkedIn, the data cache that surfaced last week followed a familiar hacker playbook. First came a curation of media coverage to raise awareness of the incident and consequently drive the interest of potential buyers, Hunt said.

“That was followed by a bunch of sites popping up selling or sharing the data. Then the legal notices go out and the sites shut down and pop up somewhere else. It’s beginning to sound very familiar?” Hunt said.

Discussion

It would be dangerous if end users use the same password across various accounts. LinkedIn, itself, is a brutal exposure of privacy by showing off your accolades. The only thing worse is surfacing your plastic to your phone. If a human resources person asks for your LinkedIn, you say, "No. That violates my security policy and privacy." What data do you need to share with free cloud? Nothing... absolutely nothing.

Authors

Threatpost
